Subject: Very probable remote root vulnerability in cfengine (fwd)
From: <abs@purplei.com>
To: <tech-security@netbsd.org>, <packages@netbsd.org>, <security-officer@netbsd.org>
List: tech-security
Date: Mon, 2 Oct 2000 17:49:52 +0100 (BST)

	Updated pkgsrc version (now 1.5.3nb3) just in case.
	   Always pass %s to syslog to avoid potential format string exploit.
           (Action based on alert by Pekka Savola on Bugtraq)

	What is the procedure for updating the vulnerabilities list?


		David/absolute
				       -- www.netbsd.org: No hype required --

---------- Forwarded message ----------
Date: Mon, 2 Oct 2000 09:56:30 +0300
From: Pekka Savola <pekkas@NETCORE.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Very probable remote root vulnerability in cfengine

PROBLEM:
--------
cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls.  Everyone, or
if access controls are being used, accepted hosts, can send the network
daemon a message causing a segmentation fault.  As cfd is almost always
run as root due to its nature (centralized configuration management
etc.), this can be quite lethal and lead to a root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him.  A different fix
was applied to the newly released 1.6.0.a11 (alpha version).

I got the impression that there isn't going to be an official fix for
1.5.x releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools.  Debian, at least, includes cfengine
as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other
though.

Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system
first.   Spoofing would probably also yield similar results; the fact
that there need not be any reply from the server makes it
easier.

Segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----
where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname.

A longer string of %s's can also be used if that doesn't produce good
results.

If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:
-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be 1.1.1.1 myhostname root
cfdserver.some.domain(null)1.1.1.1 nev^M  was 1.1.1.1 s%s%s^M
^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe
Hacker to exploit this.

Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible but those aren't as
interesting as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port
5308.  These can't be considered _good_ workarounds as users in the
local network/legit hosts can still exploit the service.

PATCH:
------

"Standard" patch to syslog calls included.  It applies quite cleanly to
both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <pekkas@netcore.fi> while
doing a minor audit on cfengine in the light of format string
vulnerabilities.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi      not those you stumble over and fall"

[Attachment: cfengine-1.6.0.a10-syslog.patch (text/plain, base64-encoded)]
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--1589707168-1171649858-970422716=:9658--
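The syslog() misuse the advisory describes and the `%s` fix the pkgsrc update applies, side by side in a small added example. This is not cfengine's code and is not taken from the advisory or the patch: fake_syslog (a buffer-writing stand-in for syslog(3)), the count_conversions triage helper and the sample CAUTH line are constructed here for illustration. The vulnerable function is only ever called with a benign string, because feeding it a '%' is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* glibc declares syslog() with this same attribute, so the compiler can
 * flag a non-literal format passed without arguments (-Wformat-security). */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/*
 * Stand-in for syslog(3), constructed for this example: same calling
 * convention (printf-style format plus varargs), but the formatted
 * result lands in a caller-supplied buffer instead of going to syslogd,
 * so it can be inspected.
 */
static void PRINTF_LIKE(3, 4) fake_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/*
 * VULNERABLE: the pattern the advisory describes.  `msg` arrives over
 * TCP 5308 under attacker control and becomes the format argument.
 * Each %s makes the C runtime pull a pointer off the stack and
 * dereference it (the segfault in the advisory); a %n conversion would
 * let the attacker write memory instead of just reading it.
 * Undefined behaviour for any msg containing '%': never call it so.
 */
static void log_vulnerable(char *out, size_t outlen, const char *msg)
{
    fake_syslog(out, outlen, msg);
}

/*
 * FIXED: the change behind "Always pass %s to syslog".  The format is
 * now a constant and msg is only ever a %s argument, so "%s%s%s" in msg
 * is copied verbatim and never interpreted.
 */
static void log_fixed(char *out, size_t outlen, const char *msg)
{
    fake_syslog(out, outlen, "%s", msg);
}

/*
 * Triage helper (constructed): count conversion specifiers in untrusted
 * text.  "%%" is a literal percent and is not counted.  Handy for
 * spotting probes like the advisory's CAUTH line in captured traffic or
 * in what actually reached syslog.
 */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the probe line from the advisory's DETAILS section. */
    const char *probe = "CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s";
    char out[256];

    log_fixed(out, sizeof out, probe);
    printf("fixed    : %s\n", out);
    printf("probe has %d conversion specifiers\n", count_conversions(probe));

    /* On benign input the vulnerable path is indistinguishable from the
     * fixed one, which is why these bugs survive testing. */
    log_vulnerable(out, sizeof out, "CAUTH 10.0.0.1 host root");
    printf("vuln (ok): %s\n", out);
    return 0;
}
```

Build with `cc -Wall -Wformat -Wformat-security` and the compiler points at the one line in log_vulnerable that the patch changes ("format not a string literal and no format arguments"); that is the same warning an audit of cfd's real syslog() calls would have produced, and a cheap check to add to any build of a daemon that logs network input.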